Capitol - Your Illinois News Radar » AG office was hit by massive ransomware attack, potentially linked to Russia
AG office was hit by massive ransomware attack, potentially linked to Russia

Friday, Apr 30, 2021

* Rachel Hinton

A “ransomware” group potentially linked to Russia has uploaded to a website scores of documents it says were stolen from Illinois Attorney General Kwame Raoul’s office over two weeks after the state’s top law enforcement officer first reported his office’s computer network was compromised.

Raoul had declined to publicly provide details of the hack, but on Thursday, he issued a follow-up statement, saying his office has set up a toll-free hotline for those seeking more information on the breach, which could include “names, addresses, email addresses, Social Security numbers, health insurance and medical information, tax information, and driver’s license numbers.” […]

The latest announcement comes after the ransomware group DoppelPaymer posted 68 documents it said are from the attorney general’s office, as well as other entities they’ve hit, on a website on which a user can find “private data of the companies which were hacked by DoppelPaymer.”

According to the website, the “companies decided to keep the leakage secret. And now their time to pay is over.”

This happened weeks ago and the AG’s office is only now finally telling the public about a ransomware attack? Before, all they would say was they were hacked.

* From the attorney general…

Attorney General Kwame Raoul today announced the Office of the Attorney General is notifying the public, in accordance with state statute, of a ransomware attack that has compromised the office’s network. While the extent of the information compromised is currently under investigation, the Attorney General’s office is launching a toll-free hotline and providing additional information to the public via its website.

The Attorney General’s office, aided by law enforcement and external technology experts, continues to evaluate the full extent of the compromise, including identifying the information that was exposed and what was done with that information. At the same time, work is taking place around the clock to rebuild the office’s network. In the interim, the Attorney General’s office is launching a hotline that will go into operation at 8 a.m. Central time Friday. The Attorney General’s office is providing additional information to answer individuals’ questions and help them protect against identity theft.

“While we do not yet know with certainty what was compromised in the ransomware attack, we are working closely with federal law enforcement authorities and outside technology experts to determine what information was exposed, how this happened, and what we can do to ensure that such a compromise does not happen again,” Raoul said. “This process will take time, but I understand that members of the public may have questions now, which is why I am establishing a toll-free hotline and making information available online. I am committed to transparency throughout this very sensitive process and will continue to provide updates that do not jeopardize the progress of our ongoing investigation or the security of our network.”

What has since been identified as a ransomware attack was initially discovered in the early hours of Saturday, April 10 when employees were unable to access the office’s network. The office launched an immediate investigation and has maintained close contact with federal law enforcement and external technology experts to determine which network components have been compromised. The office has continued regular operations to the extent possible while efforts to rebuild the network are underway.

Illinois statute requires residents to be notified if their information may have been compromised by a data breach. Accordingly, a public notification and answers to frequently asked questions related to the network compromise are now available on the Attorney General’s website. The Attorney General’s office has not yet determined what personal information on its network is impacted. However, information from the public stored on the office’s network includes names, addresses, email addresses, Social Security numbers, health insurance and medical information, tax information, and driver’s license numbers. The Attorney General’s office routinely offers guidance to help residents protect themselves from identity theft, and today’s public notice details steps people can take to protect their identities.

Attorney General Raoul also announced a dedicated toll-free hotline staffed by Rust Consulting Inc., a company that specializes in legal notifications. Beginning Friday, individuals who have questions about the network compromise can call the Attorney General’s Computer Network Compromise Hotline at 1-833-688-1949, Monday through Friday between the hours of 8 a.m. and 5 p.m. Central time.

The Attorney General’s office continues to evaluate the extent of the network compromise by ransomware. Additional details about the compromise and the personal information impacted will be made available on the Attorney General’s website, to the extent possible, upon completion of the office’s internal investigation and its work with law enforcement and external technology experts.

That is some super-dense prose right there.

- Posted by Rich Miller

  1. - Donnie Elgin - Friday, Apr 30, 21 @ 11:03 am:

    “The leaked files include not only public information from court cases handled by the Illinois OAG, but also private documents that aren’t a part of the public record, according to security research firm Recorded Future, which detailed the leak in a post on its news portal The Record. The files contain personally identifiable information about state prisoners, their grievances and cases, according to the post.”

  2. - Ron Burgundy - Friday, Apr 30, 21 @ 11:19 am:

    Of course the statute on data breach notification in IL requires notice to, guess who? I assumed the office notified itself promptly.

  3. - Sangamo Girl - Friday, Apr 30, 21 @ 11:27 am:

    And this is why I push back on every single request for my PII. My agency now requires my name, DL number, DL exp. date, and birthday on every single request . . . to use an Agency car. I don’t care how you encrypt the info, “stuff” happens.

  4. - Fav Human - Friday, Apr 30, 21 @ 11:30 am:

    “malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network,” Microsoft’s researchers explain.

    The company recommends that security administrators enforce good credential hygiene, apply the principle of least privilege, and implement network segmentation to keep their environments protected.

    Seems like the AG is running a loose ship.

    The article is from Nov. 2019.

  5. - Responsa - Friday, Apr 30, 21 @ 11:31 am:

    Wow. It’s not a great day for Illinoisans who trusted the security of their lives and financial identities to the Attorney General’s office. One would expect the AG of all people to be more immediately forthcoming and aware of his responsibilities. Most especially, the people who experienced the trauma of IDES fraud must be so happy that Kwame opened up a special department/task force to “help” them where they had to identify themselves and detail the fraud. Ugh.

  6. - zatoichi - Friday, Apr 30, 21 @ 12:01 pm:

    =The AG’s office routinely offers guidance to help residents protect themselves from identity theft, and today’s public notice details steps people can take to protect their identities.=
    They really want to say that in an article where they get hacked? How old is the current security system and who runs it? Looks like serious upgrades are needed yesterday.

  7. - DuPage - Friday, Apr 30, 21 @ 12:12 pm:

    As a law enforcement agency, they may have had routine access to all Illinois drivers license information. Will they disclose how many and how much information has been stolen?

  8. - Franklin - Friday, Apr 30, 21 @ 12:17 pm:

    They are currently pushing legislation to collect student loan data.

  9. - Responsa - Friday, Apr 30, 21 @ 12:25 pm:

    Please remember how you feel about this almost unbelievable breach as rational people from both political parties resist the idea of Illinois collecting personal and medical data for a vaccination passport.

  10. - Rich Miller - Friday, Apr 30, 21 @ 12:28 pm:

    ===resist the idea of Illinois collecting personal and medical data for a vaccination passport===

    Go take a nap.

  11. - Anyone Remember - Friday, Apr 30, 21 @ 12:34 pm:

    ===My agency now requires … DL number … every single request . . . to use an Agency car.===

    How else would you have your agency ensure you’re a licensed driver?

  12. - Ed Equity - Friday, Apr 30, 21 @ 12:48 pm:

    It was once a crazy idea that a terrorist would crash an airplane into a building, until it happened. This attack is only the staging for something much more substantial. When they have the passwords and credentials, Russians, or more likely a non-government surrogate/terrorist group, will attack our financial and power systems. It is not an “if” but a “when”. Just like we got caught off guard with COVID, we’re nowhere near ready for that much more deadly scenario. I hope this can serve as a prompt to get ready.

  13. - Merica - Friday, Apr 30, 21 @ 1:14 pm:

    The Russians have successfully hacked DOD and every major tech company, companies that spend billions on cyber security. They’ve also attacked many local and state governments.

    No State, other government, or company can protect against this. The solution is on the federal level and likely involves a military and economic confrontation with Putin.

    Hats off to the poor employees at the attorney general that have to deal with this and a pandemic. Sucks.

  14. - Skeptic - Friday, Apr 30, 21 @ 2:01 pm:

    “How else would you have your agency ensure you’re a licensed driver?” You can do it without storing a copy of the data on a network (or a filing cabinet for that matter.) “Can I see your DL?” “Sure, here it is.” “Thank you, I’ll mark on the form that you have a valid DL.”

  15. - all luck - Friday, Apr 30, 21 @ 2:03 pm:

    It will be interesting to see how much they are able to rule out what has been hacked.

    The AG defends almost all state employee WC claims and their database for claims would have all personal identification information including SSN of anyone who has ever had a WC claim.

  16. - Candy Dogood - Friday, Apr 30, 21 @ 2:36 pm:

    I’d put a lot of good money on the security breach that was exploited being a known issue that was not fixed or addressed with updates to software or hardware. I’d also put good money, though a little less, on it being specifically linked to a server or network of PCs still running on Windows XP.

    ===The Russians have successfully hacked DOD and every major tech company===

    And? This usually happens because of carelessness. See SolarWinds.

    ===No State, other government, or company can protect against this. ===

    This isn’t even remotely true, and pretending like it is true propagates this attitude that it can’t be helped. There are plenty of companies, agencies, and governments that don’t have their stuff hacked, stolen, or ransomed. You just have to actually prioritize providing adequate training and up-to-date software, and I think we all know that state agencies and executive offices aren’t exactly known for developing tech skills and competencies and that there are a lot of people that frankly refuse to learn or take threats seriously.

    ===The AG defends almost all state employee WC claims and their database for claims would have all personal identification information including SSN of anyone who has ever had a WC claim.===

    Relax. Equifax already made sure this was available to anyone who wanted it badly enough.

  17. - JSS - Friday, Apr 30, 21 @ 3:24 pm:

    The AG’s Office also receives unredacted records when FOIA requests are reviewed by the Public Access Counselor. This potentially could expose individuals who have absolutely no expectation the AG’s Office would be in possession of records pertaining to them.

  18. - Still Waiting - Friday, Apr 30, 21 @ 3:25 pm:

    The OMA/FOIA training portal has been down for a couple of weeks, at least. Not ideal when you have all these newly elected officials who have to complete training within 90 days of being seated.

  19. - Sangamo Girl - Friday, Apr 30, 21 @ 3:29 pm:

    What Skeptic said. There are plenty of ways to accomplish this goal without putting my PII at risk–every time I need to pick up a set of car keys.

  20. - Hector - Friday, Apr 30, 21 @ 3:38 pm:

    The irony is that it’s the AG’s office that’s charged with enforcing the state’s Privacy Act and policing the private sector on matters involving any breach in privacy and personal data.

  21. - Three Dimensional Checkers - Friday, Apr 30, 21 @ 4:01 pm:

    Not the prisoner grievances!

    What, is AG Raoul supposed to pay taxpayer money as ransom to an (alleged) Russian cybercrime gang? Or maybe his own money? I am sure that would have gone over great in the next election.
